Re: Securing NTP

To increase the security of NTP you should use NTP authentication. That would also need to be enabled on the server, and this may not be an option if the servers are not under your control. NTP authentication will however not stop your router from responding to port scans on this port. Enabling access-lists in addition to NTP authentication will take care of port scans, as all NTP packets from sources you do not permit will be silently discarded.

Re: Securing NTP

Anders

John has suggested one approach using access lists and access-group to apply the access list on an interface. And it would effectively prevent other machines from seeing NTP activity on your router. If you already have an access list assigned on the interface it would be easy to incorporate this logic into it.

There is another approach to securing NTP and it would not involve an access list looking at every packet going through an interface but would only act on traffic to the router for NTP. You can use ntp access-group to secure NTP traffic and only allow NTP from addresses that you specify. There is an ntp access-group peer which uses a standard access list to control to whom you look to learn NTP (would be both ntp server and ntp peer addresses) and there is an ntp access-group serve-only which uses a standard access list to control to whom you will offer NTP (your ntp peer and any other machines that look to this router for ntp). This is a more targeted approach to securing NTP than using access lists applied to interfaces. Conceptually it is similar to the way that you can use access-class under the VTY to control who can access the router remotely as a more efficient solution than using access lists on interfaces to control telnet or ssh access packets.

Re: Securing NTP

Anders

I do not know how the scan identifies active or listening ports. Does it send a packet on that port and listen for a response? In that case I would think that the ntp access-group would prevent the scan from reporting your router. Or does the scan send a packet on that port and listen for the "port unreachable" response? In that case I am not clear whether the ntp access-group would prevent your router being listed or not.

I agree that the language is difficult to understand. In my experience any address that you have configured in ntp server needs to be permitted in ntp access-group peer. You would permit in ntp access-group serve (or serve-only) addresses for which you would send time if they send a request to you.

Re: Securing NTP

It is my understanding that if you have ntp master configured, you must also have peer access to source 127.127.7.1. The ntp master command creates 127.127.7.1, to which the local router synchronises.
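A worked configuration, added here as an illustration and not taken from any of the posts above, that pulls together the ntp access-group peer / serve-only commands, NTP authentication, and the ntp master / 127.127.7.1 point from the replies. All addresses, the key number and the key string are constructed placeholders.

```cisco
! Added example (not from the original posts): NTP hardening on a Cisco IOS router
! combining the ntp access-group and NTP authentication commands discussed above.
! 192.0.2.10, 192.0.2.11, 198.51.100.0/24 and key 1 are constructed placeholders.
!
! --- Before: the router answers NTP from anyone and will accept time from any
! --- source it has configured, with no check that the reply really came from it
ntp server 192.0.2.10
ntp server 192.0.2.11
!
! --- After ---
! 1. Authentication: accept time only from servers that sign with a trusted key.
!    The same key must exist on the servers, so this only works if you control them.
ntp authentication-key 1 md5 EXAMPLE-KEY-CHANGE-ME
ntp authenticate
ntp trusted-key 1
ntp server 192.0.2.10 key 1
ntp server 192.0.2.11 key 1
!
! 2. Peer ACL: whom this router will learn time from. Every address used in an
!    "ntp server" or "ntp peer" line must be permitted here. Because "ntp master"
!    is configured below, the internal reference clock 127.127.7.1 must be
!    permitted too, otherwise the router will not synchronise to it.
access-list 10 remark NTP-PEER sources this router synchronises to
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
access-list 10 permit host 127.127.7.1
!
! 3. Serve-only ACL: whom this router will hand time to. These clients can query
!    the router but cannot update its clock. NTP packets from any other source
!    are dropped, so the router does not answer them on UDP/123.
access-list 20 remark NTP-CLIENTS hosts allowed to request time
access-list 20 permit 198.51.100.0 0.0.0.255
!
ntp access-group peer 10
ntp access-group serve-only 20
!
! 4. Optional: keep serving the clients at stratum 5 if the upstream servers
!    become unreachable (this is what requires the 127.127.7.1 entry in ACL 10).
ntp master 5
```

Verify with `show ntp associations` that the configured servers show as synchronised and authenticated, and with `show access-lists` that the serve-only ACL is matching client requests rather than the peer ACL.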
